The February cyberattack on Change Healthcare — which leaked up to a third of all Americans’ health data to the dark web and cost parent company UnitedHealthcare $22 million in ransom payments to hackers — demonstrates the wide-reaching and devastating impact that cybercrime can have on businesses and individuals.
And the problem keeps growing. Beazley’s 2024 Cyber Risk Predictions-Latest Trends report says business email compromise increased 18% between 2021 and 2023, and incidents of data exfiltration are on the rise.
But cybersecurity experts at Northeast Wisconsin companies say business leaders can be proactive in fighting the growing threat, including by keeping employees up to date and aware of common cyberattack attempts like phishing.
Brandon Vincent, IT security manager at Green Bay’s KI, says he has “absolutely” seen an increase in cyberattack attempts, not only at KI, but targeted toward his personal accounts or those of friends and family. “It’s everywhere. And it affects businesses and consumers personally.”
Phishing detection
Phishing, in which fraudulent emails are made to look like they’re from legitimate companies to try and gather personal information from their targets, is one of the top methods of cyberattack, largely because it’s easy, Vincent says.
“It only takes one person to click on a phishing email,” he says. “They get access to your account, your password. And once they have an in, they can quietly search and detect things within your network and find other vulnerabilities to exploit.”
Part of the danger is that once the attackers are in, the breach may go undetected for months while the attacker quietly gathers information.
“They gather as much information as they can, and you end up getting hit with ransomware where they encrypt your servers, your backups,” Vincent says. “They basically take you down and your only option sometimes is to pay the ransom, which can be in the millions of dollars.”
Cyberattacks are “so much more sophisticated and automated than I think some people realize,” Vincent says. Attackers can purchase ransomware services on the dark web. “So it’s really incredible and scary, honestly, how sophisticated these things have become.”
KI, like many companies of its size, hosts annual security awareness training for its 1,600 or so employees and offers remedial training programs for employees who fail internal phishing tests.
“At the end of the day, we’re trying to educate and help everybody be more responsible when it comes to technology,” Vincent says. While that protects the company, “they can take these things home, too, and use them in their personal lives.”
It’s important for employees to know that even if they accidentally click on a real phishing attempt, they “shouldn’t feel embarrassed or worried that they’re going to get in trouble,” Vincent says. “The best thing is to contact the IT department, so they can take a look at it right away.”
Layered approach
For other businesses, Vincent says it’s more important than ever to take a layered approach to security. That might include having different systems or platforms in place, different policies and software.
KI has committed more resources toward cybersecurity, including adding a dedicated cybersecurity team of three as well as adding new tools and platforms that it continues to build upon, Vincent says. The company has dealt with a few minor incidents that its layered security systems have been able to catch. “We’ve been lucky that we haven’t had any issues, and we’ve caught a few things before they became a problem.”
With a workforce that’s 80% remote, J.J. Keller & Associates has had to place a particular focus on cybersecurity concerns, says Andy Teska, senior data security engineer. It has multiple safeguards in place and conducts annual penetration testing, in which an outside company is hired to test both internal and external networks for vulnerabilities and security gaps.
“They’re just looking for weaknesses or issues around the way the setup is that other people would be able to exploit,” Teska says. “So we’re trying to be a little bit proactive and patch things before someone else finds them.”
The company, which has about 2,200 employees, is also trying to rely less on passwords and codes sent via text, moving instead into other systems like face ID and PINs, he says.
The company also hosts monthly phishing simulations and annual training in phishing, data security and computer security. All employees must use devices managed by J.J. Keller or they can’t access company systems. “Then if you leave or whatever, we can remotely lock the computer,” Teska says. “We can remotely wipe the computer too.”
Teska says companies in general need to boost security training, and it shouldn’t be one-size-fits-all. “Accounting is going to get phishing emails that are different than what IT or the executive committee or sales would get,” he says.
The impacts of each are also much different.
J.J. Keller has also had to manage vulnerabilities from terminated employees, from employees who are working overseas against company policy and from interviewees who have misrepresented who they are.
In one case, Teska says the company discovered the laptop of a terminated employee was no longer in the United States. The company looked more closely at other devices, which led to the discovery that a current employee had moved to Europe without telling anyone. That person was using a hardware VPN (virtual private network) to route their activity through Florida to try to cover the move.
“Now that we are more aggressive with this tool, they were caught the first day that they tried to use their computer,” he says.
The company isn’t set up to have international employees because of HR-related regulations and laws around tax withholding, paid time off, medical leave and other areas, Teska says. Additionally, “do you trust someone that’s saying they’re in Florida, but they’re really in Europe?”
The company does employ contractors from outside the U.S., but it blocks countries where it knows it has no contractors or customers, Teska says.
There also have been interviewees who didn’t have the skill set they claimed to have, which has the HR department taking extra measures to verify the identity of applicants.
Another particularly bold social engineering attack has an attacker impersonating an employee to gain access to information. Or employees will get a text message from someone purporting to be CEO Rustin Keller asking for a favor.
“Rustin has said repeatedly, ‘I will not send you a text message,’ but people get them and you want to respond. It’s human nature,” Teska says. “‘Oh, it’s the CEO; I’m going to help him out.’”
To help counter those attacks, J.J. Keller has kept its service desk up to date with instructions on verification.
J.J. Keller has increased investment in cybersecurity during the past few years, Teska says. “We’ve hired another person and we’ve been investing in some additional software, and we’re trying to be planful. … We want to make sure that we’re getting the right tools and the tools we can manage and understand.”
Best-practice protections
M3 Insurance’s Director of Cyber Liability Matthew Thomson and his team advise business clients of all sizes on cybersecurity risk management, cyber insurance and claims resulting from email compromise, ransomware or other incidents.
Thomson says his team is starting to see more businesses require cyber insurance as they enter into contracts with other businesses and connected systems are involved, so that both sides know they’re protected.
“Cyber insurance has become important to make sure that [businesses] have some form of coverage to fall back on if — or many would say when — a cyber incident happens,” Thomson says.

“Both within M3’s client base, but also more broadly, some of the data that we see from the cyber insurance industry is that the number of business email compromise and ransomware claims is definitely up,” Thomson says.
Thomson says the number of cyberattacks dipped slightly in 2022, a drop largely attributed to the war between Ukraine and Russia, as many of the cybercriminal gangs operated out of that region; they have since relocated elsewhere. “We saw claims spike right back up in 2023, and 2024 is trending even higher than 2023,” he says. Additionally, these criminals are starting to employ AI to create more believable phishing emails and to locate and take advantage of more vulnerabilities.
And while we mainly hear about cyberattacks at large companies like Change Healthcare, any size company is at risk. “By having computer systems and by transacting with other businesses or the individual customer, you are a target,” Thomson says.
There is some positive news, however — in the past couple of years, federal investigation agencies “have made some waves in the criminal underground of taking down some of the digital infrastructure that those criminal gangs use,” Thomson says. “And there’s more collaboration amongst countries and their different intelligence agencies to try and put pressure and interrupt those activities of those cyber criminals.”
Companies must continue to be proactive as well, including improving employee awareness and setting up best-practice cyber protections, he says. That includes cloud backups, AI solutions that can detect phishing and multi-factor authentication — which by itself could have prevented or reduced the impact of many cyber events, including the one at Change Healthcare.
KI’s Vincent says regular events like the NEW Digital Alliance cybersecurity roundtables are key for sharing ideas and information with each other. “We’re all fighting the same battles,” he says, “so the more we can share and help each other, the stronger we’ll be.”
